[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Greg Houston gregory.houston at gmail.com
Thu Sep 25 19:26:13 PDT 2008


On Thu, Sep 25, 2008 at 4:08 PM, Ian Hickson <ian at hixie.ch> wrote:
> form of experimental implementations. Personally I think the idea of
> disabling the contents of a cross-origin iframe that has been partially
> obscured or rendered partially off-screen is the best idea, but whether we
> can adopt it depends somewhat on whether browser vendors are willing to
> adopt it and implement it. It requires no standards changes to implement.

If further restrictions are added to iframes there should be a way to
opt out of them, particularly anything that disables the iframes and
any kind of timeouts. I have a legitimate application where iframes
are regularly being created dynamically, resized, hidden,
re-displayed, moved slightly off screen, and where there may be
multiple iframes overlapping each other at any given moment. My
application is a user interface library where the iframes can be
opened in resizable panels and in resizable, draggable, and
hide-able (minimized) DHTML windows.

The following is a web application example. There is also a demo for
a web desktop. The web desktop is probably where my users would run
into the most issues, since the windows often have cross-domain iframe
widgets and gadgets in them, which, again, can be resized, moved
slightly offscreen, hidden, and moved so that they overlap.

http://mochaui.com/demo/

Also, two or three months back I had asked for a way to disable
iframes manually. We came to the conclusion that Internet Explorer's
setCapture and releaseCapture methods would solve the issue I had. I
don't know if that functionality might also increase some of the
options to the problem trying to be solved here.

- Greg
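The heuristic quoted at the top of this message, modelled in JavaScript as an added example (not code from either correspondent or from MochaUI); the rectangle format, the function names and the framed-document opt-out flag are assumptions, chosen so that the two situations the reply describes (a frame nudged slightly off screen, two frames overlapping) can be checked against it.

```javascript
// Added example, not code from the thread: a geometric model of the quoted
// heuristic ("disable a cross-origin iframe that is partially obscured or
// partially off-screen"). Rects are {x, y, w, h} in CSS px; all names are hypothetical.

function intersect(a, b) {
  const x = Math.max(a.x, b.x), y = Math.max(a.y, b.y);
  const right = Math.min(a.x + a.w, b.x + b.w), bottom = Math.min(a.y + a.h, b.y + b.h);
  return right > x && bottom > y ? { x, y, w: right - x, h: bottom - y } : null;
}
const area = (r) => (r ? r.w * r.h : 0);

// Fraction of the frame that lies inside the viewport.
function onScreenFraction(frame, viewport) {
  return area(intersect(frame, viewport)) / area(frame);
}

// Fraction of the frame covered by elements stacked above it. Overlaps among the
// covering elements are double-counted, which only errs toward "obscured".
function obscuredFraction(frame, covers) {
  const covered = covers.reduce((sum, c) => sum + area(intersect(frame, c)), 0);
  return Math.min(1, covered / area(frame));
}

// Disable input to the frame unless it is fully visible. The opt-out is modelled
// as a declaration by the *framed* document (framedOptsOut): the embedding page is
// exactly the party a UI-redress attack controls, so an embedder-side opt-out
// would switch the protection off where it is needed most.
function shouldDisable(frame, viewport, covers, framedOptsOut = false) {
  if (framedOptsOut) return false;
  return onScreenFraction(frame, viewport) < 1 || obscuredFraction(frame, covers) > 0;
}

// Constructed scenarios mirroring the reply above: a widget frame nudged slightly
// off the right edge, and two window frames that overlap by 40px.
function evaluateScenarios() {
  const viewport = { x: 0, y: 0, w: 1280, h: 800 };
  const nudged = { x: 1200, y: 100, w: 300, h: 200 }; // 220px hang off-screen
  const lower = { x: 100, y: 100, w: 400, h: 300 };
  const upper = { x: 460, y: 150, w: 400, h: 300 };   // covers a 40x250 strip of `lower`
  return {
    nudgedOnScreen: onScreenFraction(nudged, viewport),      // 80*200 / 300*200
    nudgedDisabled: shouldDisable(nudged, viewport, []),
    lowerObscured: obscuredFraction(lower, [upper]),         // 40*250 / 400*300
    lowerDisabled: shouldDisable(lower, viewport, [upper]),
    upperDisabled: shouldDisable(upper, viewport, []),       // topmost frame stays live
    lowerOptedOut: shouldDisable(lower, viewport, [upper], true),
  };
}
```

Under this rule both of the reply's legitimate cases are disabled, which is the tension the thread is about: the same geometry a redress attack relies on is what a windowing library produces by design.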
